Elcomsoft iOS Forensic Toolkit 8.0 brings forensically sound bootloader-based extraction for select iPhone & iPad models

Elcomsoft iOS Forensic Toolkit 8.0 is a major release bringing support for repeatable, verifiable, and truly forensically sound bootloader-level extraction to a wide range of Apple devices, and featuring a refreshed, command-line driven user interface.

Elcomsoft iOS Forensic Toolkit 8.0 offers forensically sound bootloader-level extraction of 76 Apple devices ranging from the ancient iPhone 4 all the way up to the iPhone X, as well as a large number of iPad, iPod Touch, Apple Watch, and Apple TV models. The newly developed checkm8 extraction process supports OS releases ranging from iOS 7 through iOS 15.7 in three different flavors (iOS, tvOS, watchOS) for three different architectures (arm64, armv7, armv7k). Limited iOS 16 support is available.

checkm8 extraction

For devices based on the armv7 and armv7k architectures, full passcode unlock along with file system extraction and keychain decryption are available. For newer arm64-based devices, full file system extraction and keychain decryption are supported for devices with a known or empty passcode. Finally, the latest supported range, including the iPhone 8, 8 Plus and iPhone X, requires removing the passcode prior to extraction on iOS 14 through iOS 15.7. iOS 16 support is limited due to the new SEP fix on A11-based devices.

The new checkm8 extraction process we developed is the cleanest yet. There are no log entries added on the device, and no changes are made to the system or data partition. Our unique extraction process is developed from the ground up, with all steps of the process performed completely in the device’s volatile memory. The data remains untouched, enabling repeatable, verifiable extractions.

Our checkm8 solution supports all versions of iOS that can be installed on supported hardware up to and including iOS 15.7. In addition, the extraction process supports all compatible tvOS and watchOS versions installed on supported Apple Watch and Apple TV models.

The unique, forensically sound checkm8 process, with 100% of the patching occurring in the device RAM, enables sound, repeatable and verifiable extractions. For 64-bit devices with unknown screen lock passwords, a limited BFU (Before First Unlock) extraction is available, while USB restrictions can be completely bypassed.

New user experience

Elcomsoft iOS Forensic Toolkit 8.0 brings a new, advanced user experience built around the command line. The command line gives experts full control over every step of the extraction workflow and lets them build their own scripts to automate their specific routines.

With this update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iOS acquisition tool on the market. The toolkit now supports all possible acquisition methods including advanced logical, agent-based and checkm8-based low-level extraction.

Release notes

  • New command-line interface
  • Added checkm8 extraction for all supported iPhones & iPads
  • Added checkm8 extraction for Apple TV 3, Apple TV HD and Apple TV 4K (1st gen)
  • Added checkm8 extraction for Apple Watch S3
  • Media file acquisition now saves all files into a single archive (.tar)
  • Added pairing/unpairing commands
  • Added ssh and scp commands to interact with the device
  • Added serial logging (requires DCSD cable)
  • Multiple fixes and improvements in logical acquisition
  • Keychain extraction fixes